How to create mandatory profiles in Windows 10 Creators Update (1703)


I wrote a comprehensive post a few years ago (God, it’s been that long?) on how to create mandatory profiles. When Windows 10 came along, mandatory profiles had been completely and utterly forgotten about, and simply didn’t work. After a while, they got around to fixing this, and I ended up recording a (rather long!) video about how to create them.

Unfortunately this had some issues around UWP apps, in that they seemed not to work very well when using a mandatory profile. And then, just as I was getting around to having a look at the UWP issue, Microsoft released the Creators’ Update (1703). This, although it ostensibly brought back the capability to use the Copy Profile command to create a mandatory profile, also had the annoying effect of now breaking the Start Menu when you used a mandatory profile (thanks to Pim for the heads up on this issue). So yesterday I set about cracking the issues we had, which meant creating a mandatory profile and testing:-

a) Whether the Start Menu functions

b) Whether the UWP apps function

c) If both of the above still work OK when the user logs in to a second machine

Now, the only officially supported way to create a mandatory profile is by using Audit Mode to create a custom default user profile, and then using the Copy Profile command to move the customized default user profile to a network share. This is the way I’ve attacked it in the new video I’ve recorded. This article is intended to supplement that – and if you choose to do it the old-fashioned way, by copying an existing profile directly into a network share, you’re going to get problems. Believe me, I’ve tried!

Build a Windows 10 1703 machine and enter Audit Mode. You trigger Audit Mode when it reaches the screen that asks you which regional layout you want, and do it by pressing Ctrl-Shift-F3. The machine will then log you in and put up a sysprep prompt – click Cancel on this.

Once logged on, customize the environment how you want your mandatory profile to look. How much or how little you do probably really depends on what you are using the mandatory profile for. If you are using it as a base for a UEM product, then you probably don’t want much customization. If you’re using it for a kiosk or similar device, you may want a lot. Some of the things I find it handy to set are browser home pages, browser search provider, “show file extensions” in Explorer, change the default view in “This PC” away from Quick Access – it’s entirely up to you how much or how little you customize. Here’s how much I did – complete with “odd” icon placement so I can tell if it has worked 🙂

Now, this will restart the system and complete the installation, copying your user profile into the default user profile area.

After this, I normally apply all patches and join the domain. Once this is done, log on with a domain account that has access to the network share where you intend to store the profile, and open up the Advanced System Properties dialog. Click on the Advanced tab and then Settings. Highlight the Default Profile, and click Copy To.

Enter the path that you wish to copy to, change Permitted to use to say Authenticated Users, and check the box for Mandatory profile (not that it appears to do anything, but hey, check it anyway).

This copies the Default Profile across to our file share – but it’s not done properly, sadly. Firstly, we need to set the permissions correctly. The filesystem needs to have the permissions set as below:-

ALL APPLICATION PACKAGES – Full Control (this is mega-important – without this set the Start Menu will fail)

Authenticated Users – Read and Execute

SYSTEM – Full Control

Administrators – Full Control

Once you have set these permissions on the parent folder ENSURE that you cascade them all the way down the filesystem, and also MAKE SURE that Administrators is the owner of all the files and folders as well.

Next we need to set the Registry permissions as well. Open up regedit.exe, select the HKEY_USERS hive, and choose the Load Hive option from the File menu. Browse to the network share where you copied the files to, and open up the ntuser.dat file that is in there. Give it a name, and you will see the named hive loaded under HKEY_USERS.

Right-click on the root of the hive you have loaded and select Permissions. The permissions in here will be wrong. Change them to match those set below exactly.

You must ensure that the RESTRICTED group is removed, otherwise you will be unable to log on and will get an Access Denied error. When you apply these permissions, you will get an error saying “unable to set security in some keys” – just ignore this.

Now, search the Registry hive for any instances of the username and delete them. If you want to be really thorough, search for the SID of the user too and remove any references to that.

After this I normally delete any Registry keys which I think are unnecessary. Policies keys can definitely go, I also tend to remove APPDATALOW from \Software and the (huge amount!) of Google references you will find within the Registry. It’s up to you how much you do here – certainly there are lots of redundant objects related to gaming, XBox and SkyDrive that could easily be taken out.

Once you’ve done this, highlight the root of the loaded hive again and choose File | Unload Hive from the menu in regedit.exe, otherwise you will lock the file and it will be unusable – VERY IMPORTANT!

After this, you can highlight the Registry transaction logs in the root of your file share and delete them – they’re not needed.

Next you can trim down the filesystem. Because the Copy Profile command ignores the AppData\Local and AppData\LocalLow folders, you shouldn’t have too much to do here. I normally just get rid of \AppData\Roaming\Adobe.

This usually takes the size of the mandatory profile down to just over 1MB, which is about right.

For the penultimate steps, rename the ntuser.dat file to ntuser.man (why the hell did the Mandatory check box not do this bit????), and then set a test user to use the mandatory profile in AD or GPO.
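The filesystem side of the steps above (the four NTFS ACEs, cascading them down, Administrators as owner, deleting the transaction logs and the ntuser.dat to ntuser.man rename) as an added PowerShell example; this is not the post’s own script, the share path is an assumed placeholder, and it assumes the hive has already been unloaded in regedit.exe. The Registry hive permissions are still set in regedit as described.

```powershell
# Added example, not from the original post: applies the NTFS permissions,
# ownership and file cleanup described above to a copied mandatory profile.
# The share path is an assumed placeholder. Run from an elevated PowerShell
# session, AFTER the hive has been unloaded in regedit.exe.
param(
    [string]$ProfilePath = '\\fileserver\profiles$\mandatory'   # placeholder
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs avoid name lookups, which vary by OS language and fail
# when a name is mistyped. Kept as strings so icacls can consume them.
$AllAppPackages = 'S-1-15-2-1'     # ALL APPLICATION PACKAGES (Start Menu needs this)
$AuthUsers      = 'S-1-5-11'       # Authenticated Users
$LocalSystem    = 'S-1-5-18'       # SYSTEM
$Administrators = 'S-1-5-32-544'   # BUILTIN\Administrators

function Invoke-Icacls {
    # icacls returns a non-zero exit code on failure; turn that into an error.
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Root folder: drop inherited ACEs and set exactly the four required ACEs,
#    each marked (OI)(CI) so they flow down to files and subfolders.
Invoke-Icacls @($ProfilePath, '/inheritance:r', '/grant:r',
    "*${AllAppPackages}:(OI)(CI)F", "*${AuthUsers}:(OI)(CI)RX",
    "*${LocalSystem}:(OI)(CI)F",    "*${Administrators}:(OI)(CI)F")

# 2. Cascade: reset every child so it carries only what it inherits from the root.
Invoke-Icacls @("$ProfilePath\*", '/reset', '/T', '/C', '/Q')

# 3. Ownership: BUILTIN\Administrators on the root and everything below it.
Invoke-Icacls @($ProfilePath, '/setowner', "*$Administrators", '/T', '/C', '/Q')

# 4. Registry transaction logs are not needed once the hive is unloaded.
Get-ChildItem -LiteralPath $ProfilePath -Force -File |
    Where-Object { $_.Name -like 'ntuser.dat.LOG*' -or $_.Name -like 'ntuser.dat{*' } |
    Remove-Item -Force

# 5. ntuser.dat -> ntuser.man (the Mandatory check box does not do this).
#    A rename failure here usually means the hive is still loaded in regedit.
$hive = Join-Path $ProfilePath 'ntuser.dat'
if (Test-Path -LiteralPath $hive) {
    try { Rename-Item -LiteralPath $hive -NewName 'ntuser.man' -Force }
    catch { throw "Could not rename ntuser.dat; unload the hive in regedit.exe first. $_" }
}

# 6. Verify: report anything that is not owned by Administrators.
$wrongOwner = Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force | Where-Object {
    (Get-Acl -LiteralPath $_.FullName).GetOwner([System.Security.Principal.SecurityIdentifier]).Value -ne $Administrators
}
if ($wrongOwner) { $wrongOwner | ForEach-Object { Write-Warning "Owner is not Administrators: $($_.FullName)" } }
else { Write-Host "Profile at $ProfilePath is ready (ntuser.man, permissions and ownership set)." }
```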

But there is one final step we need to take to ensure that UWP apps work in our mandatory profile. You need to set a GPO that allows roaming profiles (because mandatory profiles are simply read-only roaming profiles) to deploy UWP apps. The GPO is shown below, and if this isn’t set, no UWP apps will work (they will just hang indefinitely).

Once you’ve got this set, you can now test your mandatory profile – and it should work perfectly. If you want to reduce the logon time, then removing as many UWP apps as possible from the image will be your best bet – see many of my other articles for guides on how to do this.

Summary

I’m hoping this is the last time I have to go down the mandatory profiles route. But I’m willing to bet it’s not. Welcome to Windows 10 and the fast release schedule!

By James Rankin


James is a solutions architect and strategist focused mainly on end-user computing technologies, cloud capability, automation, monitoring and directory services. He is also a well-regarded technical blogger, journalist and speaker, writing for several online publications as well as the HTG blog, and frequently found speaking at user groups, vendor conferences and online webinars.

James is passionate about providing the perfect user experience, always looking to design solutions that are simple, sustainable and easy-to-use. He works extensively with technologies from both large and small vendors and is always looking for new ways to enhance and extend the capabilities of the solutions we provide to our clients.

He has recently been admitted to the Citrix Technology Advocate (CTA), VMware vExpert and AppSense Community Advisor (ACA) programs in recognition of his contributions towards the EUC community and thought leadership within the virtualization space.

Comments


Hi James
Just following your fantastic guide and noticed one thing. It seems setting the registry permissions for Authenticated Users to have read access (as opposed to full control like you did in your accompanying video) results in the message ‘The Group Policy Client service failed the sign-in. Access is denied’

This is at least the case with Windows 10 1607. I had to set the ‘Authenticated Users’ as having full control on the registry key in order for it to work correctly. I was able to toggle this single setting and replicate the behaviour.

FYI too – it seems skipping the sanitising step that you recommend (the registry search and destroy for the username) is what breaks the start menu. So other internet people – follow this guide, it actually works as opposed to the hopelessly vague guide on Microsoft’s site 🙂

Anyways, just thought you’d appreciate the feedback, you’ve helped an Aussie IT bro trying to work out the mandatory profile for 3100+ labs PCs out 🙂

We have followed these instructions to the letter, but cannot find a way of setting the ‘administrators’ built in group as the owner of the folder. Could you illuminate us on how this is accomplished. Whenever we try to set the ‘Administrators’ as the owner of the folder then an error is presented “An object (User, Group, or Built-in security principal) with the following name cannot be found “administrators”. Check the selected object types and locations for accuracy and ensure that you have typed the object name correctly, or removed this object from the selection.

It seemed to work at first but then the next day both profiles can’t log in with this error

taskhostw (7180) WebCacheLocal: Database recovery failed with error -1216 because it encountered references to a database, ‘C:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat’, which is no longer present. The database was not brought to a Clean Shutdown state before it was removed (or possibly moved or renamed).
Any idea why?

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

DETAIL – Access is denied.

Which is strange because I can access the shared folder that contains the profile just fine.
And on the system the PC still says it’s connected to the correct domain.
Pinging the server works too.

Yes, just checked it, it’s owned by Domain name / Administrators
Any other ideas? Is this corrupted profile?
Yesterday = 2 terminal worked
today = 1 terminal worked, other one = we can’t sign in into your account
then after restarting once,
terminal 1 = There was a problem with your roaming profile blablabla
terminal 2 = we can’t sign in into your account

I’ve had about 6 weeks of fun trying to get Windows 10 1703 deployment working well with MDT with mandatory profiles for our users (Coming from Windows 7 / WDS so complete learning curve).

I followed this guide to try and create our mandatory profile but every single time I’d end up with a profile that just wasn’t right and for us, Edge just wouldn’t work.

Having fixed it and now having a working mandatory profile, the key is simply… DON’T CLICK THAT MANDATORY PROFILE CHECK BOX! Using regdiff, all it seems to do is add one regkey, I haven’t got notes but something like Environment\Mandatorysafe=1 but it also right royally messes up the permissions in the ntuser.dat file.

If you don’t click that box when copying the default profile to your network share and just specify Authenticated Users as Permitted to use, then you don’t need to touch the registry hive. Just rename it to ntuser.man and make sure your folder permissions are Domain admins: Full, System: Full, Authenticated Users / Domain Users (You pick): Read.

Although your users with the mandatory profile should work perfectly, any user that logs on to the computer with a local profile – say an admin – will have start menu issues. For this scenario, simply use the copyprofile=true command on a VM or a machine you can reimage again in order to copy the default profile and set copyprofile=false on the build you push out.

Of course everyone else’s mileage may vary but I’m happy with what I’ve got and hope it helps someone!

I have used your method to create both a default profile for staff which is used for creating their roaming profiles, as well as a mandatory profile for students. I am using an exported startlayout xml file for users to force their tile layout. There seems to be an issue with roaming profiles whereby if they don’t create properly, I find tiles are shown blank and clicking on them does nothing, sometimes the tiles are shown blank and clicking runs the app. Also, tile groups and blank tiles within the groups are shown for apps that aren’t installed on the client, but are on the layout xml for use on desktops with those apps installed. I am updating my enterprise from 1511 Education to 1703 Education. I have found that loading and resaving the layout xml on the file share will partially fix the issue.

With enforced tile layout, I am finding that with staff profiles that roam, the 1st login creates the tile layout correctly on the 1703 client. When the user goes to login on a second desktop, all tiles are blank apart from any universal tiles. Is this something you can verify?

Thank you for your post. Everything thus far has worked a treat. My problem now is that I’m trying to set an Automatic Logon for the AD profile which I have the profile path pointing to the share for. I would like the PC to automatically login to this profile without a prompt for username and password. This is for a student lab. But after I set the Autologon details via the registry and reboot I get the following error on boot up: “The ProSvc service failed the sign-in. User Profile cannot be loaded”

Any idea James. I’m really stuck here, any help would be much appreciated

After Sysprep, when creating the account it says “Something went Wrong”. A “try again” button appears, and after hitting it the account is created, but without the configurations of Internet Explorer, for example.

I’ve checked that the ntuser.dat file in the “default” folder is being replaced, after the “Something went Wrong” message.

Hi James,
Thanks for the guide, it’s very clear and helpful!
I’ve created a profile that works well for Windows 10, however when a user with this mandatory profile tries to log on to a Windows 2016 server (via RDP) it fails to logon and shows the following error:
The Group Policy client service failed the sign-in. Access is Denied.

I have tried setting the reg key, but it didn’t help. Also cleaning the mandatory profile hive as much as possible did not help. Or I cleaned the wrong items.
Have you ever come across this error, or have any ideas?

The administrators have ownership on the files and the registry keys and also full control permissions. The profile seems to be working fine when logging on to a Windows 10 VDI desktop. But on a Windows 2016 server it fails. In the event log it shows these alerts after the logon attempt:
The winlogon notification subscriber failed a critical notification event. ID 6004
The winlogon notification subscriber failed a notification event. ID 6001

Hi James, sorry for the delayed response. It took a while to set things up.
With a mandatory profile created on Windows Server 2016 we get the same error logging on to the Windows 2016 RDP session. This profile doesn’t work with windows 10 either.
There was 1 difference in the process, when copying the default user profile there was no checkbox for mandatory profile.

Hi, I tried to do some more research. The moment the sign-in fails on the Windows Server 2016 session the following entry shows up in procmon: HKU\S-1-5-21-1417001333-308236825-682003330-22650 ACCESS DENIED for read/write

so for testing I gave the Authenticated Users group Full Control permissions on the reg hive of the .man file and now it works.

But I am not sure if setting Full Control permissions on the reg hive could be harmful in any way to the mandatory profile. Is there a reason why it is set to read only?

I always set Full Control permissions on the whole Registry hive. Technically this would lead to a minor security issue, but you could always work around it by resetting the permissions to %USERNAME%\Full Control at first logon.

That’s interesting. The operating system sees a profile type based on the Registry value of HKLM\Software\Microsoft\Windows\CurrentVersion\ProfileList\[SID]\State (1 indicates mandatory). If you were to use a post-logon script to set this to 0 or 256, then run Skype, it might work? Obviously you would also need a logoff script to set the value back to 1 though, otherwise it would never get purged 🙂

You will also need to pull the user SID in the scripts to feed into the Registry edit. Here’s a couple of examples for doing it:-
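The SID lookup and the ProfileList\[SID]\State edit that the reply above sketches, as an added PowerShell example (the author’s own examples are not on the page, and this is not them). It assumes State is a bitmask in which 0x1 is the mandatory flag, so it only toggles that bit; writing HKLM needs elevation, so in practice it would run from a scheduled task as SYSTEM with the account name passed in.

```powershell
# Added example, not the author's scripts: resolve a user's SID and clear or
# restore the mandatory bit (0x1) in ProfileList\<SID>\State, as sketched in
# the reply above. Needs rights to write HKLM (e.g. a scheduled task running as
# SYSTEM at logon/logoff with -Account passed in); defaults suit an elevated test.
param(
    [string]$Account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,  # DOMAIN\user
    [switch]$Restore   # omit to clear the mandatory bit after logon; pass at logoff to set it back
)
$ErrorActionPreference = 'Stop'

function Get-UserSid([string]$AccountName) {
    # Translate DOMAIN\user (or a local account name) to its SID string.
    $nt = New-Object System.Security.Principal.NTAccount($AccountName)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-ProfileMandatoryFlag([string]$Sid, [bool]$Mandatory) {
    # State is a bitmask; 0x1 marks the profile as mandatory (assumption stated
    # in the lead-in). Only that bit is changed so any other flags the profile
    # service has set for this user are preserved. Returns the new State value.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList\$Sid"
    if (-not (Test-Path -LiteralPath $key)) { throw "No ProfileList entry for $Sid (user not logged on yet?)" }
    $state = [int](Get-ItemProperty -LiteralPath $key -Name State).State
    $new   = if ($Mandatory) { $state -bor 1 } else { $state -band (-bnot 1) }
    Set-ItemProperty -LiteralPath $key -Name State -Value $new -Type DWord
    return $new
}

$sid    = Get-UserSid $Account
$result = Set-ProfileMandatoryFlag -Sid $sid -Mandatory:$Restore.IsPresent
Write-Host "State for $Account ($sid) is now $result"
```

Pair it with a logoff run using -Restore, as the reply notes, or the profile is never treated as mandatory again and will not be purged.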

For my multiseat setup im gonna need 9 different mandatory profiles.
Weird thing is the second mandatory profile that I created won’t load even though I did exactly the same thing. I need to assign the second manprofile to second user, third to third user and so on..

Hello. No error, it just “spins” and never times out. It’s very odd. I tried making a copy of profile and setting up the permissions properly again, even going beyond that and enabling FULL CONTROL for everyone (on the profile and in the registry), still same result. I’m stumped.

Is there a way of the start menu tile having some basic ones as part of the MP such as maybe one for IE and one for File Explorer. I am having major issues using the “set start layout” GPO. My xml file is very basic (just IE and Explorer) but causes massive delay to logon time and the menu isn’t as the xml file was exported. Permissions on the xml file are set to allow access the same as the profile folder.

Thank you for a great article. It was really helpful and saved me tons of time.

It worked well with 1703.

Have you tried the same method with 1709?

I created a new mandatory profile (Following the same steps) on 1709 and it all appears to work, except Edge closes immediately (within 5 seconds) after launch. (All other UWP Apps are ok) An event log states –
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Faulting module path:
C:\Windows\System32\Edgehtml.dll

I have tried it 3 / 4 times with the same outcome. (And tried with no GPOs being applied….Just in case).

When I remove the Mandatory profile and log in with a local or Roaming Profile it all works as expected.

Hi,
Could you do a video on your setup?
From start to now (including the update of the PVS).
Are you using VDI or XenApp?
Are you using “cache overflow to disk”?
Are you using XenServer/Hyper-V/ESXi?
Have you upgraded/moved to Server 2016 & Win10 RS2/3?
Do you have HA for DNS, DHCP, AD? How?
How do you upgrade to the next version (apps, hypervisor, server)?

Thanks for the video/article. Just a quick question – do I need to move the profile to a share/DC to edit permissions or can I just keep it on the same machine and regedit/set permissions before moving it?

You can keep it on the same machine, if you want to add domain groups (like Authenticated Users) then just make sure you can see the domain. I generally move it to a file share first though just to keep everything separate for my sanity 🙂
